locked
WSUS and Windows 10 Pro - Updates aren't getting installed RRS feed

  • Question

  • Hello everyone.  I have seen quite a few posts about Windows 10 and WSUS, but nothing seemed to be specific to my issue.  I run a single WSUS server on Windows Server 2012 R2.  Help > About gets me the version: 6.3.9600.18057.  We are just starting to get more Windows 10 Pro systems on our network and I thought it about time to fold them into our WSUS implementation that is primarily used to support our Windows 7 desktops.

    WSUS is currently configured to control update policy only, but directs ALL clients to download the update files from Microsoft.  It has been working quite well so far.  My problem started after configuring a GPO for Windows 10 workstations only.  My GPO options are configured as follows:

    Configure Automatic Updates - Enabled

    - 4 - Auto download and schedule the install

    - Install during automatic maintenance is unchecked.

    - Scheduled install day: 0-Every Day

    - Scheduled install time: 03:00

    Specify intranet Microsoft update service location - Enabled (Configured with the WSUS server using same settings as our Windows 7 clients)

    Automatic Updates Detection Frequency - Enabled (every 4 hours)

    Allow non-admins to receive update notifications - Enabled

    Turn on Software Notifications - Enabled

    Allow Automatic Updates immediate installation - Enabled

    Turn on recommended updates via Automatic Updates - Enabled

    Reschedule Automatic Updates scheduled installations - Enabled (Startup 60 min)

    Enable client-side targeting - Enabled (to file all windows 10 computers in a particular group)

    Allow signed updates from an intranet Microsoft update service location - Enabled

    Do not display 'Install Updates and Shutdown' option in Shut Down Windows dialog box - Disabled

    Do not connect to any Windows Update Internet locations - Disabled

    All other GPO options are set to "Not Configured".

    Ok, so the initial easy problem was that WSUS was detecting Windows 10 systems as they were checking in as Windows vista...  Hotfix applied and that issue is resolved.  However, as I am approving updates that are detected as "needed" on these Windows 10 computers, they are not being installed..  I can't figure this one out for the life of me.  I have one system that has 4 "needed" updates that are approved, yet you check for updates from that client and it happily reports that it is fully up to date....

    I have another system with 6 updates "needed" and it does the same thing.

    These workstations are obviously checking in with WSUS correctly as they are added to the client side targeting group successfully and I am able to report on their patch status.  It even increments the Last Status Report field on the computer object after I force the client to check for updates.

    At first I thought it might be that I had defer upgrades disabled..  I set that back to not configured and it didn't seem to have any impact.

    I found this hotfix available, but I am not completely sure it applies in my case:

    http://blogs.technet.com/b/wsus/archive/2015/12/04/important-update-for-wsus-4-0-kb-3095113.aspx

    The other thing I can seem to figure out is why two systems both patched by the same WSUS server seem to be running different versions of Windows 10? Winver command on one gives this build:

    Version 1511 (OS Build 10586.71)

    and the same winver command on a different system comes back as:

    Version 10.0 (Build 10240)

    What do I need to do to the GPO and/or WSUS server to install updates on Windows 10 clients and keep them at a consistent revision?

    Thanks for helping me clear this up.  The WSUS product seems to work just great with our Windows 7 clients, but folding in Windows 10 has proven to not be as easy as creating a GPO/WMI filter.  Bummer!

    This question was marked answered today for some reason...  It isn't..

    Tuesday, February 2, 2016 8:20 PM

Answers

  • Hello everyone.  It's been a long time since I posted this and just wanted to say that I am successfully patching Windows 10 with WSUS now.  I did have to apply a patch to our WSUS server to support Windows 10 at some point and because the builds of Windows 10 have changes so fast, I don't believe we are even running the same versions that we were at the time of my original post.  Anyway Windows 10 version 1703 or 1709 with the latest WSUS patches is working fine.  My standard GPO settings attached.
    Friday, February 2, 2018 5:28 PM

All replies

  • Don't use Help->About to check the version of WSUS, it's misleading/inaccurate in many cases. The WSUS server version is shown on the main WSUS console page and is the reliable indicator.

    So far I haven't seen any good write-ups on "the right settings for a Win10 WSUS client".
    Actually I haven't seen a good write-up for Win8 either.
    Lots of the settings, are poorly documented as to applicability to modern OS, and, the actual practical behaviour of those settings was always sketchy.

    Anyway, I'd usually advise to check the windowsupdate.log to see what's going on. But Win10 doesn't have that log. but you can use powershell to generate the log.

    It sounds like the client is performing detection and performing reporting but we don't know if it is seeing the Approval, performing Download, attempting install, etc.

    KB3095113 is the update which properly enables Win10 Upgrade functionality. (that's upGRADE, not upDATE). you should install this on your WS2012R2 WSUS. and then enable the upGRADES classification. you may need to take some corrective steps, if you have already/previously enabled the "upGRADES" classification.

    http://blogs.technet.com/b/wsus/archive/2016/01/30/quot-help-i-synched-upgrades-too-soon-quot.aspx

    Windows10 was originally released to market (RTM) as build version 10240. In November2015 the 1511 build 10586 was released as an upGRADE, and deployed via WU/MU online. MSFT will release upgrades 3 or 4 times per year and each time the version of Windows changes/increments.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, February 2, 2016 8:55 PM
  • by default, Win8/8.1/10, don't honour the traditional/classic AU scheduling/behaviour.

    Win8 introduced "automatic maintenance" which bundled up a bunch of different maintenance tasks including Automatic Updates into a scheduled task control.

    Win10 also introduced USO (Update Services Orchestrator) which is also involved in managing updating.

    Also there are metro/modern/store/universal apps introduced in Win8 which are mostly serviced from WU/MU.

    So, there are a number of significant differences in the modern OS's, and updating has significantly changed.

    It's not the same as Win7, not at all. WSUS is still basically the same guy, but the client has changed radically in the last 3 major releases of Windows..


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, February 2, 2016 9:00 PM
  • Hi ATyler,

    >I have one system that has 4 "needed" updates that are approved, yet you check for updates from that client and it happily reports that it is fully up to date....

    Have you checked the result of apply a simply GPO, just "Specify intranet Microsoft update service location" and "Configure Automatic Updates " with option "3". I have ever tested this GPO, it could detect update from WSUS server on win10.

    The WUA in window 10 seems works differently from WUA in win7 and other original OS, so it will appear some strange behavior that doesn't follow GPO settings. It's really a bother and as DonPick has pointed out, there are little documents to explain it recently.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Wednesday, February 3, 2016 9:30 AM
  • Hello everyone.  It's been a long time since I posted this and just wanted to say that I am successfully patching Windows 10 with WSUS now.  I did have to apply a patch to our WSUS server to support Windows 10 at some point and because the builds of Windows 10 have changes so fast, I don't believe we are even running the same versions that we were at the time of my original post.  Anyway Windows 10 version 1703 or 1709 with the latest WSUS patches is working fine.  My standard GPO settings attached.
    Friday, February 2, 2018 5:28 PM
  • Friday, February 2, 2018 8:53 PM